Fortinet black logo

JSON API Incident Integration

JSON API Incident Integration

These JSON REST APIs allow you to integrate incidents from FortiSIEM. This is used for ServiceNow SecOps integration.

A list of FortiSIEM Incident attributes can be found here.

Refer to Example Usage for Incident Integration examples.

Fetch Incidents

This API retrieves incidents from FSIEM database.

Release Added: 6.3.0

URI Method Additional Information
/phoenix/rest/pub/incident GET

Parameters

"status": [0],

* "incidentId":[8064],

* "timeFrom": 1620677781736, (Required)

* "timeTo": 1620684981736, (Required)

* "start":0,(optional)

* "size": 500 (by default, return 500 incidents each time)

/phoenix/rest/pub/incident POST

Payload:

{
    "filters": {
           " status": [0],
            "incidentId":[8064]
},
"start":0,(optional)
"size":500,(by default, return 500 incidents each time)
    "timeFrom": 1620677781736, (Required if incidentId is not specified)
"timeTo": 1620684981736, (Required if incidentId is not specified)
    "orderBy": "incidentLastSeen", (this field must be in the list of fields)
    "descending": true, 
   "fields": [
        "eventSeverityCat",
        "eventSeverity",
        "incidentLastSeen",
        "incidentFirstSeen",
        "eventType",
        "eventName",
        "incidentSrc",
        "incidentTarget",
        "incidentDetail",
        "incidentRptIp",
        "incidentRptDevName",
        "incidentStatus",
        "incidentComments",
        "customer",
        "incidentClearedReason",
        "incidentClearedTime",
        "incidentClearedUser",
        "count",
        "incidentId",
        "incidentSrc",
        "incidentTarget",
        "incidentExtUser",
        "incidentExtClearedTime",
        "incidentExtTicketId",
        "incidentExtTicketState",
        "incidentExtTicketType",
        "incidentReso",
        "phIncidentCategory",
        "phSubIncidentCategory",
        "incidentTitle",
        "attackTechnique",
        "attackTactic"
    ]
}

Returns:

{
    "total": 317,
   "start":0,
    "size": 10,
    "data": [
        {
            "incidentTitle": "SNMP service down on wk5794.fortinet.com",
            "eventSeverity": 10,
            "incidentFirstSeen": 1621941030000,
            "incidentReso": 1,
            "incidentRptIp": "172.30.57.94",
            "incidentLastSeen": 1621987770000,
            "incidentSrc": "",
            "count": 54,
            "attackTechnique": "[{\"name\": \"Service Stop\", \"techniqueid\": \"T1489\"}]",
            "eventType": "PH_RULE_SNMP_DOWN",
            "phIncidentCategory": 1,
            "incidentClearedTime": 0,
            "incidentTarget": "hostIpAddr:172.30.57.94, hostName:wk5794.fortinet.com,",
            "attackTactic": "Impact",
            "eventSeverityCat": "HIGH",
            "incidentDetail": "",
            "incidentRptDevName": "wk5794.fortinet.com",
            "eventName": "SNMP Service Unavailable",
            "incidentId": 114780,
            "incidentStatus": 0,
            "customer": "Super"
        },
      . ..
   ]
}

Fetch Trigger Events

This API retrieves triggering events from incidents.

Release Added: 6.3.0

URI Method Additional Information
/phoenix/rest/pub/incident/triggeringEvents?incidentId=8&size=10 GET

Parameters:

incidentId: FortiSIEM incident Id

(Required) size: indicates how many trigger events return, 10 events by default if no size specific.

Returns:

[
    {
        "custId": 1, 
        "index": 0, 
        "id": 6482650188627892000, 
        "eventType": "PH_DEV_MON_PERFMON_JOB_DELAY_HIGH", 
        "receiveTime": 1621557630000, 
        "rawMessage": "<174>May 20 17:40:30 [PH_DEV_MON_PERFMON_JOB_DELAY_HIGH]:[jobName]=CPU Util(SNMP),[phCustId]=1,[hostName]=FGT50E3U17000553,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[hostIpAddr]=172.30.58.50,[procName]=AppServer,[relayDevName]=sp5875,[relayDevIpAddr]=172.30.58.75,[phLogDetail]=A performance metric delay for a single device crossed high water mark", 
        "nid": "6482650188627892238", 
        "attributes": {
            "1": "PH_DEV_MON_PERFMON_JOB_DELAY_HIGH", 
            "2": 1, 
            "7": 1621557630000, 
            "8": "172.30.58.75", 
            "9": "172.30.58.75", 
            "10": "sp5875", 
            "11": "sp5875", 
            "12": 1, 
            "13": "<174>May 20 17:40:30 [PH_DEV_MON_PERFMON_JOB_DELAY_HIGH]:[jobName]=CPU Util(SNMP),[phCustId]=1,[hostName]=FGT50E3U17000553,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[hostIpAddr]=172.30.58.50,[procName]=AppServer,[relayDevName]=sp5875,[relayDevIpAddr]=172.30.58.75,[phLogDetail]=A performance metric delay for a single device crossed high water mark", 
            "15": 6482650188627892000, 
            "16": 3, 
            "17": 1, 
            "21": 1, 
            "24": "LOW", 
            "43": "Fortinet", 
            "44": "FortiSIEM", 
            "53": "Super", 
            "110": 1, 
            "122": "PHBoxParser", 
            "129": 1, 
            "1005": "172.30.58.50", 
            "1006": "FGT50E3U17000553", 
            "2007": "AppServer", 
            "4506": "CPU Util(SNMP)"
        }, 
        "eventAttributes": [ ], 
        "dataStr": { }
    }
]

Update Incidents

This API allows you to update incident ticket status.

Release Added: 6.3.0

URI Method Additional Information
/phoenix/rest/pub/incident/update/{incidentId} POST

Parameter:

IncidentId: FortiSIEM incident Id (Required)

Payload:

{
        "incidentExtUser":"User A",
        "incidentExtClearedTime":1620677781736,  (Timestamp)
        "incidentExtTicketId":"INS00456",  (Required)
        "incidentExtTicketState":"Closed",
        "incidentExtTicketType":""
}

Integer Field Mapping to Descriptions

Incident Status

"incidentStatus":,

ACTIVE = 0;

AUTOMATICALLY CLEARED = 1;

MANUALLY CLEARED = 2;

SYSTEM CLEARED = 3

Incident Resolution

"incidentReso":

None = 0

Open = 1

TruePositive = 2

FalsePositive = 3

InProgress = 4

Incident Category

"phIncidentCategory":,

AVAILABILITY = 1;

PERFORMANCE = 2;

CHANGE = 3;

SECURITY = 4;

OTHER = 5;

FortiSIEM Incident Attributes List

"eventSeverityCat",

"eventSeverity",

"incidentLastSeen",

"incidentFirstSeen",

"eventType",

"eventName",

"incidentSrc",

"incidentTarget",

"incidentDetail",

"incidentRptIp",

"incidentRptDevName",

"incidentStatus",

"incidentComments",

"customer",

"incidentClearedReason",

"incidentClearedTime",

"incidentClearedUser",

"count",

"incidentId",

"incidentExtUser",

"incidentExtClearedTime",

"incidentExtTicketId",

"incidentExtTicketState",

"incidentExtTicketType",

"incidentReso",

"phIncidentCategory",

"phSubIncidentCategory",

"incidentTitle",

"attackTechnique",

"attackTactic"

JSON API Incident Integration

These JSON REST APIs allow you to integrate incidents from FortiSIEM. This is used for ServiceNow SecOps integration.

A list of FortiSIEM Incident attributes can be found here.

Refer to Example Usage for Incident Integration examples.

Fetch Incidents

This API retrieves incidents from FSIEM database.

Release Added: 6.3.0

URI Method Additional Information
/phoenix/rest/pub/incident GET

Parameters

"status": [0],

* "incidentId":[8064],

* "timeFrom": 1620677781736, (Required)

* "timeTo": 1620684981736, (Required)

* "start":0,(optional)

* "size": 500 (by default, return 500 incidents each time)

/phoenix/rest/pub/incident POST

Payload:

{
    "filters": {
           " status": [0],
            "incidentId":[8064]
},
"start":0,(optional)
"size":500,(by default, return 500 incidents each time)
    "timeFrom": 1620677781736, (Required if incidentId is not specified)
"timeTo": 1620684981736, (Required if incidentId is not specified)
    "orderBy": "incidentLastSeen", (this field must be in the list of fields)
    "descending": true, 
   "fields": [
        "eventSeverityCat",
        "eventSeverity",
        "incidentLastSeen",
        "incidentFirstSeen",
        "eventType",
        "eventName",
        "incidentSrc",
        "incidentTarget",
        "incidentDetail",
        "incidentRptIp",
        "incidentRptDevName",
        "incidentStatus",
        "incidentComments",
        "customer",
        "incidentClearedReason",
        "incidentClearedTime",
        "incidentClearedUser",
        "count",
        "incidentId",
        "incidentSrc",
        "incidentTarget",
        "incidentExtUser",
        "incidentExtClearedTime",
        "incidentExtTicketId",
        "incidentExtTicketState",
        "incidentExtTicketType",
        "incidentReso",
        "phIncidentCategory",
        "phSubIncidentCategory",
        "incidentTitle",
        "attackTechnique",
        "attackTactic"
    ]
}

Returns:

{
    "total": 317,
   "start":0,
    "size": 10,
    "data": [
        {
            "incidentTitle": "SNMP service down on wk5794.fortinet.com",
            "eventSeverity": 10,
            "incidentFirstSeen": 1621941030000,
            "incidentReso": 1,
            "incidentRptIp": "172.30.57.94",
            "incidentLastSeen": 1621987770000,
            "incidentSrc": "",
            "count": 54,
            "attackTechnique": "[{\"name\": \"Service Stop\", \"techniqueid\": \"T1489\"}]",
            "eventType": "PH_RULE_SNMP_DOWN",
            "phIncidentCategory": 1,
            "incidentClearedTime": 0,
            "incidentTarget": "hostIpAddr:172.30.57.94, hostName:wk5794.fortinet.com,",
            "attackTactic": "Impact",
            "eventSeverityCat": "HIGH",
            "incidentDetail": "",
            "incidentRptDevName": "wk5794.fortinet.com",
            "eventName": "SNMP Service Unavailable",
            "incidentId": 114780,
            "incidentStatus": 0,
            "customer": "Super"
        },
      . ..
   ]
}

Fetch Trigger Events

This API retrieves triggering events from incidents.

Release Added: 6.3.0

URI Method Additional Information
/phoenix/rest/pub/incident/triggeringEvents?incidentId=8&size=10 GET

Parameters:

incidentId: FortiSIEM incident Id

(Required) size: indicates how many trigger events return, 10 events by default if no size specific.

Returns:

[
    {
        "custId": 1, 
        "index": 0, 
        "id": 6482650188627892000, 
        "eventType": "PH_DEV_MON_PERFMON_JOB_DELAY_HIGH", 
        "receiveTime": 1621557630000, 
        "rawMessage": "<174>May 20 17:40:30 [PH_DEV_MON_PERFMON_JOB_DELAY_HIGH]:[jobName]=CPU Util(SNMP),[phCustId]=1,[hostName]=FGT50E3U17000553,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[hostIpAddr]=172.30.58.50,[procName]=AppServer,[relayDevName]=sp5875,[relayDevIpAddr]=172.30.58.75,[phLogDetail]=A performance metric delay for a single device crossed high water mark", 
        "nid": "6482650188627892238", 
        "attributes": {
            "1": "PH_DEV_MON_PERFMON_JOB_DELAY_HIGH", 
            "2": 1, 
            "7": 1621557630000, 
            "8": "172.30.58.75", 
            "9": "172.30.58.75", 
            "10": "sp5875", 
            "11": "sp5875", 
            "12": 1, 
            "13": "<174>May 20 17:40:30 [PH_DEV_MON_PERFMON_JOB_DELAY_HIGH]:[jobName]=CPU Util(SNMP),[phCustId]=1,[hostName]=FGT50E3U17000553,[eventSeverity]=PHL_INFO,[phEventCategory]=3,[hostIpAddr]=172.30.58.50,[procName]=AppServer,[relayDevName]=sp5875,[relayDevIpAddr]=172.30.58.75,[phLogDetail]=A performance metric delay for a single device crossed high water mark", 
            "15": 6482650188627892000, 
            "16": 3, 
            "17": 1, 
            "21": 1, 
            "24": "LOW", 
            "43": "Fortinet", 
            "44": "FortiSIEM", 
            "53": "Super", 
            "110": 1, 
            "122": "PHBoxParser", 
            "129": 1, 
            "1005": "172.30.58.50", 
            "1006": "FGT50E3U17000553", 
            "2007": "AppServer", 
            "4506": "CPU Util(SNMP)"
        }, 
        "eventAttributes": [ ], 
        "dataStr": { }
    }
]

Update Incidents

This API allows you to update incident ticket status.

Release Added: 6.3.0

URI Method Additional Information
/phoenix/rest/pub/incident/update/{incidentId} POST

Parameter:

IncidentId: FortiSIEM incident Id (Required)

Payload:

{
        "incidentExtUser":"User A",
        "incidentExtClearedTime":1620677781736,  (Timestamp)
        "incidentExtTicketId":"INS00456",  (Required)
        "incidentExtTicketState":"Closed",
        "incidentExtTicketType":""
}

Integer Field Mapping to Descriptions

Incident Status

"incidentStatus":,

ACTIVE = 0;

AUTOMATICALLY CLEARED = 1;

MANUALLY CLEARED = 2;

SYSTEM CLEARED = 3

Incident Resolution

"incidentReso":

None = 0

Open = 1

TruePositive = 2

FalsePositive = 3

InProgress = 4

Incident Category

"phIncidentCategory":,

AVAILABILITY = 1;

PERFORMANCE = 2;

CHANGE = 3;

SECURITY = 4;

OTHER = 5;

FortiSIEM Incident Attributes List

"eventSeverityCat",

"eventSeverity",

"incidentLastSeen",

"incidentFirstSeen",

"eventType",

"eventName",

"incidentSrc",

"incidentTarget",

"incidentDetail",

"incidentRptIp",

"incidentRptDevName",

"incidentStatus",

"incidentComments",

"customer",

"incidentClearedReason",

"incidentClearedTime",

"incidentClearedUser",

"count",

"incidentId",

"incidentExtUser",

"incidentExtClearedTime",

"incidentExtTicketId",

"incidentExtTicketState",

"incidentExtTicketType",

"incidentReso",

"phIncidentCategory",

"phSubIncidentCategory",

"incidentTitle",

"attackTechnique",

"attackTactic"